pfSense to CentOS 5 racoon
I have a site-to-site IPsec VPN that has been up and running for about two years between two pfSense machines at our school that I maintain, without a hiccup. I wanted to add my home site to both of these machines. My home server is CentOS 5.x. I am trying to establish the VPN with the native racoon. I have tried all different combinations of encryption on the pfSense machine(s) and get the exact same error, on BOTH of the pfSense machines, regardless of what I try.
Bottom line, on the CentOS machine I get the error: "hash mismatched"
On the pfSense machine I get: "racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address."
Feb 21 18:51:42 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
I simply use the configuration that the CentOS system-config-network GUI generates into racoon.conf; it looks simple enough and as if it should work.
I am using 3DES and SHA1 on the CentOS side, matched on the pfSense machine.
The logs from each endpoint are attached below.
[Ipsec VPN site to site.txt](/public/imported_attachments/1/Ipsec VPN site to site.txt)
Should be easy; you can just copy what we generate in /var/etc/racoon.conf, only flipping the local and remote subnets and other IP info as required. Something is not matching up there, from what the logs show.
Thank you kindly for the reply/information. Interestingly, after taking your advice, I found that the system-config-network GUI, when setting up the IPsec VPN there, writes absolutely nothing in racoon.conf in regards to the sainfo section of the file. I verified this by saving what I had and then creating a new blank racoon.conf.
I have gotten past the phase 1 negotiation, but the connection fails with this on the pfSense machine:
Feb 23 19:55:11 racoon: ERROR: not matched
Feb 23 19:55:11 racoon: ERROR: no suitable policy found.
Feb 23 19:55:11 racoon: ERROR: failed to pre-process packet.
On the CentOS machine I get the following:
Feb 23 19:55:01 server1 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx<=>xxx.xxx.xxx.xxx
Feb 23 19:55:01 server1 racoon: ERROR: unknown notify message, no phase2 handle found.
It appears the encryption and/or hash algo(s) don't match, but they do in fact look identical.
Here is the sainfo section of racoon.conf. This is mirrored from the pfSense machine onto the CentOS machine:
sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
    lifetime time 86400 secs;
    pfs_group 2;
}
The lifetime times are identical on each endpoint.
Replying to my own thread here.
I just wanted to report that I did get this site-to-site IPsec VPN functioning. After many days of wrangling, I did have to get familiar with the setkey structure to get the VPN up.
My old CentOS 5 box kernel is getting long in the tooth.
2.6.18-8.1.6.el5 #1 SMP Thu Jun 14 17:46:09 EDT 2007 i686 i686 i386 GNU/Linux
This may in fact be part of the problem, but I cannot really pinpoint this as even part of the problem. I simply cannot update the kernel, as I have had an Asterisk PBX running flawlessly for almost 5 years and don't want to break it with a kernel update.
I updated the ipsec-tools package from the repo's 0.6.5 to a self-built 0.8.0 ipsec-tools RPM. This did not make any difference, though I was hoping this might be the cure.
After umpteen configuration changes to racoon.conf on both local and remote machines, I always wound up with the following error, regardless of what I changed:
ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
I would always get phase 1 to complete, but never phase 2, as it failed with the above error.
I did find my kernel does not support FIPS, and I don't know if this is a burden or not in trying to make this work.
After reading MANY setkey shell script examples, I set up one to suit my CentOS box and the remote pfSense machine, and sure enough the VPN linked up without a hitch.
I guess I am not at all familiar with how racoon, racoonctl, and setkey hook together, as I was under the understanding these all played together seamlessly.
I know more now about how racoon works, if nothing else, out of all of this.
I would guess there is surely a more transparent way of making this work, but I simply couldn't get it without the setkey shell script running first.
Just posting this hoping it may help someone else down the road. :'(
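The missing piece the thread arrives at is the split of duties in ipsec-tools: racoon only negotiates IKE phase 1 and phase 2 and installs the resulting SAs, while the kernel's security policy database (SPD), loaded with setkey's spdadd, is what tells the kernel which traffic must be ESP-tunnelled and triggers the phase 2 request in the first place (pfSense writes those policies for you; on a hand-built Linux box you write them yourself, unless you rely on racoon's generate_policy on the responder). The selectors in the spdadd lines and in the sainfo header on the same box have to agree, or phase 2 is proposed for one pair of subnets while the policy covers another. The script below is an added example, not the poster's setkey script or anything generated by pfSense or system-config-network: it emits a setkey policy file for the subnets shown in the thread (192.168.0.0/24 and 192.168.1.0/24) and checks that a sainfo header uses the same selectors. The gateway addresses are placeholders, since the thread masks them as xxx.xxx.xxx.xxx.

```shell
#!/bin/sh
# Added example: build the setkey SPD script a racoon site-to-site tunnel
# needs on Linux, and check it against the racoon.conf sainfo selectors.

LOCAL_NET="192.168.0.0/24"     # CentOS-side LAN, from the thread's sainfo line
REMOTE_NET="192.168.1.0/24"    # pfSense-side LAN, from the thread's sainfo line
LOCAL_GW="203.0.113.10"        # placeholder: CentOS public address (constructed)
REMOTE_GW="198.51.100.20"      # placeholder: pfSense public address (constructed)

# Print a setkey policy file for one tunnel. Load it with
#   setkey -f /etc/racoon/spd.conf
# before starting racoon; 'flush'/'spdflush' make re-runs start clean.
gen_spd() {
    g_lnet=$1 g_rnet=$2 g_lgw=$3 g_rgw=$4
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;

# Outbound: our LAN -> remote LAN must be ESP-tunnelled from our gateway
# to the remote gateway. 'require' drops matching cleartext and asks
# racoon for keys until an SA exists.
spdadd $g_lnet $g_rnet any -P out ipsec
    esp/tunnel/$g_lgw-$g_rgw/require;

# Inbound: the mirror image, so only ESP-protected packets from the
# remote LAN are accepted as coming from it.
spdadd $g_rnet $g_lnet any -P in ipsec
    esp/tunnel/$g_rgw-$g_lgw/require;
EOF
}

# Consistency check: the local/remote subnets in the racoon.conf sainfo
# header must be the same ones the outbound SPD entry selects on.
# Usage: sainfo_matches_spd "sainfo address A any address B any" "$spd_text"
sainfo_matches_spd() {
    s_local=$(printf '%s\n' "$1" | awk '{print $3}')
    s_remote=$(printf '%s\n' "$1" | awk '{print $6}')
    printf '%s\n' "$2" | grep -q "^spdadd $s_local $s_remote any -P out"
}

# Stand-alone run: print the policy file and report the selector check.
SPD=$(gen_spd "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW")
printf '%s\n' "$SPD"
if sainfo_matches_spd "sainfo address $LOCAL_NET any address $REMOTE_NET any" "$SPD"; then
    echo "# sainfo selectors match the outbound SPD entry"
else
    echo "# WARNING: sainfo selectors differ from the SPD entry" >&2
fi
```

The two spdadd entries are deliberately mirror images: the source network in the selector belongs to the gateway named first in the tunnel endpoints, and swapping either pair is enough to leave racoon negotiating for a policy the kernel never asked for.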